When using Secure Agent for extraction, source system credentials (secrets) required for workflow execution are stored in a Secret Manager. This guide provides steps to set up workflows with Secure Agent and specify the secret details it uses during workflow execution.
Before you begin
Before configuring Secure Agent for workflow execution, ensure you have:
- A registered and active Secure Agent.
- Access to one of the supported secret stores: AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, environment variable-based secret injection technique, or a custom secret store.
Configure secrets retrieval for workflow execution
Follow these steps to configure Secure Agent to retrieve the secrets required for workflow execution from a secret store. This is necessary for secure data access while running your workflows.
- AWS Secrets Manager: Select this option when you use AWS Secrets Manager to store your secrets. To configure retrieval of the secrets the agent needs during workflow execution, see Configure secret retrieval from AWS Secrets Manager.
- Azure Key Vault: Select this option when you use Azure Key Vault to store your secrets. To configure retrieval of the secrets the agent needs during workflow execution, see Configure secret retrieval from Azure Key Vault.
- GCP Secret Manager: Select this option when you use GCP Secret Manager to store your secrets. To configure retrieval of the secrets the agent needs during workflow execution, see Configure secret retrieval from GCP Secret Manager.
- Environment variable-based retrieval: Select this option when you use environment variables to store your secrets. To configure retrieval of the secrets the agent needs during workflow execution, see Configure secret retrieval from Environment variables.
- Custom secret store: Select this option when you use a custom secret store to store your secrets. To configure retrieval of the secrets the agent needs during workflow execution, see Configure secret retrieval from Custom secret store.
Configure secret retrieval from AWS Secrets Manager
Secure Agent retrieves the required secrets from AWS Secrets Manager during workflow execution. Follow these steps to configure retrieval under the Secure Agent configuration section:
- Secret path in Secret Manager: Provide the Amazon Resource Name (ARN) or the path of the secret that contains the sensitive configuration details required for the connector. These details may include credentials such as username, password, or other sensitive information needed by the Secure Agent to securely access data during workflow execution.
- AWS region: Select the region where your AWS Secrets Manager is located.
- AWS authentication method: Select how you want the Secure Agent to authenticate when executing the workflow. Choose one:
  - IAM (Recommended): Use this method if the Secure Agent was configured to use AWS IAM permissions to access secrets.
  - IAM Assume Role: Use this method if the agent was configured to access secrets via cross-account roles.
  - AWS Assume Role ARN: Provide the IAM Role ARN that grants the Secure Agent permission to retrieve secrets.
  - Access Key & Secret Key: Use this method if the agent was configured to use the AWS Access Key ID and Secret Access Key via environment variables or Kubernetes secrets.
Configure secret retrieval from Azure Key Vault
Secure Agent retrieves secrets from Azure Key Vault during workflow execution. Follow these steps to configure retrieval under the Secure Agent configuration section:
- Secret path in Secret Manager: Provide the URL of the Azure Key Vault secret that contains the sensitive configuration details required for the connector. These details may include credentials such as username, password, or other sensitive information needed by the Secure Agent to securely access data during workflow execution.
- Azure authentication method: Select how you want the Secure Agent to authenticate when accessing the Azure Key Vault secret. Choose one:
  - Managed Identity (Recommended): Use this method if the agent was configured to use an Azure-managed identity assigned to the agent environment for authentication.
  - Service Principal Authentication: Use this method if the agent was configured to authenticate via a Service Principal using Tenant ID, Client ID, and Client Secret.
- Azure Key Vault Name: Provide the name of your Azure Key Vault that stores your secrets.
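The AWS and Azure forms above each take two values that must agree: the secret ARN embeds a region that should match the selected AWS region, and the Key Vault secret URL embeds the vault name. The following pre-flight check is an added example, not part of the product or its documentation; the function names are hypothetical and the sample values are constructed. It assumes the standard AWS Secrets Manager ARN layout and the standard Key Vault secret URL layout.

```python
import re
from urllib.parse import urlparse

# Characters AWS Secrets Manager allows in a secret name.
NAME = r"[A-Za-z0-9/_+=.@-]+"
# arn:<partition>:secretsmanager:<region>:<12-digit account>:secret:<name>
ARN_RE = re.compile(
    r"arn:(?:aws|aws-cn|aws-us-gov):secretsmanager:"
    r"(?P<region>[a-z0-9-]+):\d{12}:secret:" + NAME
)

def check_aws(secret_path, region):
    """Problems in the 'Secret path in Secret Manager' / 'AWS region' pair."""
    problems = []
    if secret_path.startswith("arn:"):
        m = ARN_RE.fullmatch(secret_path)
        if m is None:
            problems.append("not a Secrets Manager secret ARN")
        elif m["region"] != region:
            problems.append(f"ARN region {m['region']} != selected region {region}")
    elif not re.fullmatch(NAME, secret_path):
        problems.append("secret name has characters Secrets Manager rejects")
    return problems

def check_azure(secret_url, vault_name):
    """Problems in the secret URL / 'Azure Key Vault Name' pair."""
    problems = []
    u = urlparse(secret_url)
    if u.scheme != "https":
        problems.append("secret URL must use https")
    # Vault hosts look like <vault-name>.vault.<cloud suffix>.
    labels = (u.hostname or "").lower().split(".")
    if len(labels) < 3 or labels[0] != vault_name.lower() or labels[1] != "vault":
        problems.append("URL host does not belong to the named vault")
    parts = [p for p in u.path.split("/") if p]
    if len(parts) not in (2, 3) or parts[0] != "secrets":
        problems.append("URL path is not /secrets/<name>[/<version>]")
    return problems

if __name__ == "__main__":
    # Constructed sample values, not taken from any real account.
    arn = "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/db-AbCdEf"
    print(check_aws(arn, "eu-west-1"))
    print(check_azure("https://myvault.vault.azure.net/secrets/db-cred", "othervault"))
```

An empty list from either function means the pair is internally consistent; it does not confirm that the secret exists or that the agent's identity is allowed to read it.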
Configure secret retrieval from GCP Secret Manager
Secure Agent retrieves secrets from GCP Secret Manager during workflow execution. The secret is uniquely identified by its name in GCP Secret Manager, without requiring additional attributes.
Configure secret retrieval from Environment variables
Secure Agent retrieves secrets from environment variables during workflow execution.
Configure secret retrieval from Custom secret store
Secure Agent retrieves secrets from a custom secret store during workflow execution. Follow these steps to configure retrieval under the Secure Agent configuration section:
- Agent Custom configuration: Secure Agent needs connection information for the custom secret store. Add the configuration details in JSON format to specify the connection settings and the secrets to retrieve during workflow execution. For example, the JSON configuration for a sample custom store might look like this:

    {
      "store_url": "https://custom-secret-store.example.com",
      "secret_name": "my-custom-secret"
    }
Next steps
After configuring the Secure Agent, return to your connector’s setup guide and continue the workflow setup.